Shame on MacRumors

I'm disappointed in MacRumors. Someone posted a buggy executable on a forum and tricked some of the users into running it before it was taken down by admins. For some reason, this was treated as a full-blown malware incident, and now it's on the international newswire as "the first OS X trojan found."

People writing malicious scripts and executables for UNIX-based systems is nothing new. There have been several trojans targeting OS X in the past five years. One deleted your Home folder, while another used the same icon swap trick to get users to run it, masquerading as an MP3. OS X trojans almost always require user intervention to activate, which is why they remain proof-of-concept trojans that don't spread to any measurable degree in the wild. This trojan is no different from MP3Concept and other trojans from the past that didn't go anywhere.

MacRumors didn't mention that this trojan is the same as other past trojans written for OS X. Instead, it was treated as the "first," a monumental event for OS X users. Newbie Mac users have latched onto this and grown afraid of random infections from the net, as though some can of worms (no pun intended) has been opened when, in fact, nothing is different today than from any other times trojans were written for OS X in the past five years.

The wording of "First OS X Virus" caused the story to get picked up by bigger news outlets. So now, what was a minor incident on a web forum that affected a few users who were tricked has now become international news, from Reuters to the BBC, all reporting on the "first" OS X virus that is "making the rounds." Even though neither is true.

The MacRumors announcement should have been worded like the following:

Quote

A malicious executable was posted on MacRumors Forums last Monday, disguised as a compressed file containing Mac OS X Leopard screenshots. After some users attempted to open the file in the compressed archive, it was discovered that the file was a disguised UNIX executable that attempts to copy itself to other files on the user's system and spread via iChat.

The file uses the same technique as past trojans like MP3Concept to disguise the document icon and trick the user into executing the program. Contrary to popular belief, there have been many trojans written before that have targeted the Mac OS X platform. Note that these trojans, like this one, require user intervention--and non-admin users are presented with a password on execution--which greatly decreases malware propagation. As with any operating system, MacRumors recommends users do not open files from untrusted sources.

Calm and rational and mentioning the fact that this is nothing new to OS X and is an isolated incident to the MacRumors Forums. Not the "first" trojan that's making the rounds out in the wild. The important point is that OS X remains unplagued by viruses and trojans because propagation is not automatic and requires user intervention due to the system's built-in security, which is what people refer to when they say the OS X platform is generally unaffected by trojans and viruses. And that's just as true today as before last Monday. Boo to MacRumors for not handling it better and initiating fear-mongering from the likes of Symantec.

I agree. It got picked up on Drudge, too, which affects AAPL price and was way overblown. All our reactions on MR were amateur hour. But then again, I've noticed lately that all the mainstream press seems to be amateur hour -- they never do their homework. They basically released a statement from an Anti Virus company, who was rubbing their hands at the prospect of some Apple anti virus business...

But somehow, methinks all that chaos was the intent of the trojan writer.

Also, I was on that original thread, and there was this other newbie, PC ENTHUSIAST, who was a bit too enthusiastic about talking about the trojan. Once I mentioned the coincidence that a newbie posted the trojan and here was this other M$ friendly newbie encouraging more fearmongering, I wondered if it might just not be the criminal returning to the scene of the crime.

It's been a (quite possibly extremely valuable) learning experience for all involved. If it's woken Mac users up to the inherent susceptibilities present in ANY system, and to the inherent abilities of X to limit it which many users were either ignorant of or just too lazy to implement (me), then that's a good thing.
No shame required. Hoorah for MR.

Staff Member

The front page story was indeed rushed up... but this had to be done due to the fact that the thread had already been linked on "digg" and was making its way to the front page of digg. At that point, the story was out, so I decided to post a story with all information available at that time to consolidate the progress on the analysis.

If it hadn't been posted to digg, I probably wouldn't have posted it until the analysis was done.... but you do what you can.

The whole virus vs trojan thing, imo, is a ridiculous debate. Once upon a time... there was one entity. It was called a Virus. Since then, there has been further subclassification that most lay-people don't know or care about.

The bottom line is that this is the first Mac OS X application "in the wild" that was designed to inject itself into other applications to propagate itself. Some people continue to harp on the fact that it has to be user triggered. Some of the biggest Windows virus/worm/trojan applications have been user activated attachments. By saying "it's just a trojan", you are missing the point, and that's the underlying intent of the application. And that is a first, on Mac OS X.

p.s. The original digg story title was "First Mac OS Virus", so the MacRumors story was based on that... and since it was unclear what the outcome was going to be at that early stage, it was entitled "The First Mac OS X Virus?" as an open question.

I blame the antivirus companies for maintaining the uproar. I believe it's called marketing and after five years of very limited opportunities, I don't blame them.

I subscribe to C|Net's news service and this morning received two emails about potential viruses (this one and the BlueTooth propagating one, if they can be called viruses) yet four emails about critical Windows viruses. We've got a long way to go before I start worrying.

I assume you mean the MacRumors:Forums regulars, not the MacRumors staff. Given that the virus was posted in a forum thread and that is where the news broke; and given that Digg and Slashdot picked up on the story very fast, I don't know what the MacRumors staff could have done differently other than take the forums offline (not something I would have wanted to see happen).

I think that arn acted very professionally. At each stage, he was careful to clarify what was facts and what was speculation, keeping a level head while all around were losing theirs.

The scriptkiddie

What were his/her motives?

The two bugs in the code are such an amateur mistake to make (when other bits of the code are fairly advanced in relative comparison) that it seems unlikely that they truly were mistakes and not a conscious choice. Or perhaps the author simply assembled sample code snippets from various tech. docs into a cohesive whole?

I wonder how the scriptkiddie came by his/her nick? Do they harbour some warped view that Apple or Mac users need to take action to improve security on the platform and thus the ends justify the means? Perhaps their nick means nothing and I am just giving the author way too much credit? Maybe the intent really was malicious.

I disagree with the original poster. I'd like to thank Arn for making us all immediately aware of this issue. This is the only Mac news site I regularly visit, and I rely on it for everything. I'm glad that MacRumors lived up to its reputation by making sure we Mac users were properly informed.

Quote

The front page story was indeed rushed up... but this had to be done due to the fact that the thread had already been linked on "digg" and was making its way to the front page of digg. At that point, the story was out, so I decided to post a story with all information available at that time to consolidate the progress on the analysis.

The time factor is understandable, but I'm surprised none of the MacRumors staff appear to have recalled or were aware of all the other viruses and trojans that have been written in the past. I was reminded of MP3Concept and Opener.

Quote

The whole virus vs trojan thing, imo, is a ridiculous debate.

My disagreement is not over terminology, but over implying it was the "first," which gave the impression that some sort of security wall had been blown open, and that Mac users were now fair game. Somebody should have pointed out that trojans and viruses have targeted OS X since it came out. Had you contained the fervor, maybe we wouldn't be seeing "First Virus Discovered To Target Macintosh PCs" on DrudgeReport right now. At the least, any journalists writing about the story and visiting MacRumors for source info might have gotten some accurate backstory, which was that this was an isolated incident of a guy tricking some people into running his app on a web forum. Even Slashdot corrected its report to downplay what was actually a "simple Trojan Horse" that requires "manual user interaction to launch the executable."

Quote

The bottom line is that this is the first Mac OS X application "in the wild" that was designed to inject itself into other applications to propagate itself.

Propagation isn't new to malware targeted at OS X. The fact is these things require a lot of user intervention to spread, so even after attempting to propagate, they don't automatically infect anyone else. There has yet to be a successfully auto-propagating OS X virus.

Quote

Some people continue to harp on the fact that it has to be user triggered. Some of the biggest Windows virus/worm/trojan applications have been user activated attachments. By saying "it's just a trojan", you are missing the point, and that's the underlying intent of the application. And that is a first, on Mac OS X.

That is incorrect. It is not the first user-activated, malicious trojan written for Mac OS X with bad intentions. How can you claim this?

Quote

p.s. The original digg story title was "First Mac OS Virus", so the MacRumors story was based on that... and since it was unclear what the outcome was going to be at that early stage, it was entitled "The First Mac OS X Virus?" as an open question.

Someone should have known better. Instead of treating this as the dark, monumental discovery of the first OS X virus, someone should have referenced past trojans/viruses and set the record straight. But I have a feeling people will forget about this in a year like they did with all the others, and the next time someone tricks people into running their executable, we'll get the alarmist reactions from the Mac community all over again about the "first OS X virus/trojan."

Staff Member

Quote

The time factor is understandable, but I'm surprised none of the MacRumors staff appear to have recalled or were aware of all the other viruses and trojans that have been written in the past.

MacRumors has been covering Trojan stories (example) for years and never reported that this was the first Trojan for Mac OS X. Forum members pointed that out too soon after the story broke. Deciding whether this is the first "harmful" one is a matter of opinion, since no Trojan has done widespread damage so far, so we're using a very small scale, from "none" to "very minor".

Quote

But I have a feeling people will forget about this in a year like they did with all the others, and the next time someone tricks people into running their executable, we'll get the alarmist reactions from the Mac community all over again about the "first OS X virus/trojan."

Agreed. People who don't bother with facts or details or already have set-in-stone opinions of Mac OS X (love it or hate it no matter what) won't be swayed by this "incident". And the rest of us will see security issues like this in the proper context, which headlines can't easily convey.

I take issue with the title of this thread. In fact, MR deserves kudos for their prompt and straight up dissemination of information and updates as they unfolded, citing the compiling of Andrew Welch and referring posters to various, pertinent threads. I think MR showed wise restraint in refraining from editorializing while providing adequate information which in turn enabled posters to search, reference and form their own conclusions.

I saw only factual articles coming from MacRumors, and lots of intelligent AND moronic responses from lots of people. Seems to me that the OP is basing their opinion on the latter. I, for one, would like to extend my thanks to MR for the way they handle any sensational topic.

Quote

I saw only factual articles coming from MacRumors, and lots of intelligent AND moronic responses from lots of people. Seems to me that the OP is basing their opinion on the latter. I, for one, would like to extend my thanks to MR for the way they handle any sensational topic.

I'm basing my opinion on the lack of factual information in MacRumors' initial announcement, with a title that was worded as "First OS X Virus?" and neglected to mention past viruses for OS X. It gave the impression that this was the first functioning malware ever written for OS X, which caused a lot of fright for Mac users who thought a Pandora's box had just been opened, as well as fueling a ton of incorrect reporting from major news outlets.

Mentioning past viruses would have made people realize the Mac platform has been surviving these kinds of attacks for the last five years, and that this is nothing new. Even ZDNet is acknowledging the hyped reporting that floated around during the week, and Paul Thurrott at Wininformant mentioned an older worm that deleted your Home folder and correctly informed readers that this wasn't anything new. SH/Renepo-A, aka "Opener," was a UNIX script that disabled your firewall, turned off your system logging so you couldn't track it, harvested your passwords, installed a backdoor for future infections, and copied itself to your startup folder and any mounted network drives. Leap.A wasn't the first OS X virus.

Acting like this was the first malware ever made the incident appear much more monumental than it actually was, and it certainly didn't deserve the alarmist reaction it received here and in the press. Leap.A wasn't discovered by security researchers out in the wild; some guy tricked a few people on the forums here into running his UNIX executable. The story was given a much grander scale than warranted (hello, Drudge Report), and MacRumors did nothing to stop it since it happened on their site. The executable's author couldn't have asked for better publicity, so that's why I said shame on MacRumors for not quelling the fiasco and recognizing it as a minor incident.

I understand slb's points, and, while I don't agree with many of them, I do understand where he's coming from ("he" is an assumption, apologies if I'm wrong).

There was, clearly, a bit of a stir raised over this. A different reaction from MR members and staff could have reduced or eliminated that stir.

However, I don't think it's reasonable to expect that reaction to have occurred.

First, forum members have no moral or ethical obligation to hide any news which might indicate a lack of absolute safety for users of OS X. I think that's pretty indisputable - barring obscene or harassing posts, members can, in essence, say anything they want.

Second, MR staff members also have no moral or ethical obligation to hide any news which might indicate a lack of absolute safety for users of OS X. Not only are the staff doing this out of the goodness of their hearts (or an urge for power, or basic masochism, or maybe arn secretly reaps millions from the site and the medical thing is a ruse to cover the fact that he lives on his own private island, posting for a year as Lacero... but I digress), anyway, as I was saying, out of the goodness of their hearts, but the site is a private one and there are no rules saying it exists to ensure that people have a warm and fuzzy feeling about Apple products.

Someone released a virus/trojan/call-it-what-you-want here. Some people were affected. Fortunately, no real damage was done. Was it the first? No. But it set a dangerous precedent in what it tried to do. Should the site have tried to minimize reports on what happened so that Drudge wouldn't say things that made Apple stock fall? No.

Someone did a bad thing and posted a malicious file here. People freaked. They overreacted. The world found out. Macs aren't viewed as being as safe as they were seen to be a week or two ago.

Big deal. First, that overreaction and news has caused many people to do basic things they should have done, like create separate admin accounts (not their fault, as Apple never told them to or helped them to do so during setup). Like think again about clicking on anything just because they're on a Mac. Like consider possibly not downloading something just because it seems all sparkly and pretty.

Second, maybe the news will cause Apple to redo their initial setup of the Macs, or at least some aspects of security, so as to reduce the possibility of a genuinely malicious version of this attack spreading like wildfire.

Could the site have downplayed what happened? Yes.

Should it have? No. Not only was what was said accurate at the time it was said, and not only was it posted by staff members who are not doing this for the money, and not only is this site not obligated to shine a rose-colored light on all Apple news, but the reaction to the story and threads was, overall, good for people.

Staff Member

Quote

Leap.A wasn't discovered by security researchers out in the wild; some guy tricked a few people on the forums here into running his UNIX executable. The story was given a much grander scale than warranted (hello, Drudge Report), and MacRumors did nothing to stop it since it happened on their site. The executable's author couldn't have asked for better publicity, so that's why I said shame on MacRumors for not quelling the fiasco and recognizing it as a minor incident.

Hey... this is "the wild". Seriously. A malicious program was posted by an unknown user into a public forum with no warning that this was an experiment or a benign application. It's certainly easy to say that in retrospect, after it's been fully analyzed, that it's a minor threat. But this was NOT known at the time.

What if the application had sent itself by email to everyone in your address book with the title "Latest Mac OS X Leopard Pictures." If so, then it would have grown enormously. But wait.... it doesn't do it? Did you know that on Wednesday night? I didn't.

Besides... I don't actually believe that MacRumors' response to it would have made a measurable difference in the mainstream-press it got, since it had already been popularized by digg. (Remember posting the front page story was trying to "damage control"/provide an analysis for the original digg story.) Most of the news reports are referencing Sophos and other security companies who made published press releases that morning claiming it was the first virus link.

Believe me, I understand the frustration with over sensationalized stories... I make it a point to combat it... but in this situation, it played out as best it could without being able to predict the future.

Your request to link past trojans/malware is noted, and we probably should have done that, but again... at the time we were still figuring out what it was.

Quote

Besides... I don't actually believe that MacRumors' response to it would have made a measurable difference in the mainstream-press it got, since it had already been popularized by digg. (Remember posting the front page story was trying to "damage control"/provide an analysis for the original digg story.) Most of the news reports are referencing Sophos and other security companies who made published press releases that morning claiming it was the first virus

I would have to agree with Arn on this. In our paper this morning, "The Calgary Herald", it did not once mention MacRumors, only at the very very end saying it came from a well known Mac rumor site. I don't think anything macrumors.com would have done different would have changed a thing.
Thanks arn, keep up the good work.

In these times we are so comfortable to let other people make decisions for us (that way we'll always have somebody to blame), but the reality is anyone who opened this "virus" or malware did so of their own choosing. People chose whether or not they wanted to open something that was posted by an unknown and relatively new member of a public forum.
